Refresh Azure Red Hat OpenShift roles

rolyon · rolyon · commit 64e55a80f765 · 2025-03-22T16:10:16.000-07:00
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -213,7 +213,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='azure-red-hat-openshift-cloud-controller-manager'></a>[Azure Red Hat OpenShift Cloud Controller Manager](./built-in-roles/containers.md#azure-red-hat-openshift-cloud-controller-manager) | Manage and update the cloud controller manager deployed on top of OpenShift. | a1f96423-95ce-4224-ab27-4e3dc72facd4 |
 > | <a name='azure-red-hat-openshift-cluster-ingress-operator'></a>[Azure Red Hat OpenShift Cluster Ingress Operator](./built-in-roles/containers.md#azure-red-hat-openshift-cluster-ingress-operator) | Manage and configure the OpenShift router. | 0336e1d3-7a87-462b-b6db-342b63f7802c |
 > | <a name='azure-red-hat-openshift-disk-storage-operator'></a>[Azure Red Hat OpenShift Disk Storage Operator](./built-in-roles/containers.md#azure-red-hat-openshift-disk-storage-operator) | Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Disks. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | 5b7237c5-45e1-49d6-bc18-a1f62f400748 |
-> | <a name='azure-red-hat-openshift-federated-credential'></a>[Azure Red Hat OpenShift Federated Credential](./built-in-roles/containers.md#azure-red-hat-openshift-federated-credential) | Update cluster managed identities with a federated credential to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account. | ef318e2a-8334-4a05-9e4a-295a196c6a6e |
+> | <a name='azure-red-hat-openshift-federated-credential'></a>[Azure Red Hat OpenShift Federated Credential](./built-in-roles/containers.md#azure-red-hat-openshift-federated-credential) | Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account. | ef318e2a-8334-4a05-9e4a-295a196c6a6e |
 > | <a name='azure-red-hat-openshift-file-storage-operator'></a>[Azure Red Hat OpenShift File Storage Operator](./built-in-roles/containers.md#azure-red-hat-openshift-file-storage-operator) | Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Files. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | 0d7aedc0-15fd-4a67-a412-efad370c947e |
 > | <a name='azure-red-hat-openshift-image-registry-operator'></a>[Azure Red Hat OpenShift Image Registry Operator](./built-in-roles/containers.md#azure-red-hat-openshift-image-registry-operator) | Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage. | 8b32b316-c2f5-4ddf-b05b-83dacd2d08b5 |
 > | <a name='azure-red-hat-openshift-machine-api-operator'></a>[Azure Red Hat OpenShift Machine API Operator](./built-in-roles/containers.md#azure-red-hat-openshift-machine-api-operator) | Manage the lifecycle of specific-purpose custom resource definitions (CRD), controllers, and Azure RBAC objects that extend the Kubernetes API to declares the desired state of machines in a cluster. | 0358943c-7e01-48ba-8889-02cc51d78637 |
diff --git a/articles/role-based-access-control/built-in-roles/containers.md b/articles/role-based-access-control/built-in-roles/containers.md
@@ -2166,6 +2166,10 @@ Manage and update the cloud controller manager deployed on top of OpenShift.
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPAddresses/write | Creates a public IP address or updates an existing public IP address.  |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/publicIPPrefixes/join/action | Joins a PublicIPPrefix. Not alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/applicationSecurityGroups/joinNetworkSecurityRule/action | Joins a Security Rule to Application Security Groups. Not alertable. |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -2196,7 +2200,11 @@ Manage and update the cloud controller manager deployed on top of OpenShift.
         "Microsoft.Network/publicIPAddresses/read",
         "Microsoft.Network/publicIPAddresses/write",
         "Microsoft.Network/virtualNetworks/subnets/join/action",
-        "Microsoft.Network/virtualNetworks/subnets/read"
+        "Microsoft.Network/virtualNetworks/subnets/read",
+        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
+        "Microsoft.Network/networkSecurityGroups/join/action",
+        "Microsoft.Network/publicIPPrefixes/join/action",
+        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action"
       ],
       "notActions": [],
       "dataActions": [],
@@ -2327,14 +2335,15 @@ Install Container Storage Interface (CSI) drivers that enable your cluster to us
 
 ## Azure Red Hat OpenShift Federated Credential
 
-Update cluster managed identities with a federated credential to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.
+Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
 > | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/read | Gets an existing user assigned identity |
 > | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/federatedIdentityCredentials/write | Add or update a Federated Identity Credential |
 > | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/federatedIdentityCredentials/read | Get or list Federated Identity Credentials |
+> | [Microsoft.ManagedIdentity](../permissions/identity.md#microsoftmanagedidentity)/userAssignedIdentities/federatedIdentityCredentials/delete | Delete a Federated Identity Credential |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -2347,15 +2356,16 @@ Update cluster managed identities with a federated credential to build a trust r
   "assignableScopes": [
     "/"
   ],
-  "description": "Update cluster managed identities with a federated credential to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.",
+  "description": "Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account.",
   "id": "/providers/Microsoft.Authorization/roleDefinitions/ef318e2a-8334-4a05-9e4a-295a196c6a6e",
   "name": "ef318e2a-8334-4a05-9e4a-295a196c6a6e",
   "permissions": [
     {
       "actions": [
         "Microsoft.ManagedIdentity/userAssignedIdentities/read",
         "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
-        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read"
+        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
+        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete"
       ],
       "notActions": [],
       "dataActions": [],
@@ -2386,6 +2396,8 @@ Install Container Storage Interface (CSI) drivers that enable your cluster to us
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/routeTables/join/action | Joins a route table. Not Alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/natGateways/join/action | Joins a NAT Gateway |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -2414,7 +2426,9 @@ Install Container Storage Interface (CSI) drivers that enable your cluster to us
         "Microsoft.Storage/storageAccounts/write",
         "Microsoft.Network/networkSecurityGroups/join/action",
         "Microsoft.Network/virtualNetworks/subnets/read",
-        "Microsoft.Network/virtualNetworks/subnets/write"
+        "Microsoft.Network/virtualNetworks/subnets/write",
+        "Microsoft.Network/routeTables/join/action",
+        "Microsoft.Network/natGateways/join/action"
       ],
       "notActions": [],
       "dataActions": [],
@@ -2531,6 +2545,10 @@ Manage the lifecycle of specific-purpose custom resource definitions (CRD), cont
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/read | Get the virtual network definition |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
 > | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/applicationSecurityGroups/joinNetworkSecurityRule/action | Joins a Security Rule to Application Security Groups. Not alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/frontendIPConfigurations/join/action | Joins a Load Balancer Frontend IP Configuration. Not alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/loadBalancers/inboundNATRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. |
+> | [Microsoft.Network](../permissions/networking.md#microsoftnetwork)/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
 > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
 > | **NotActions** |  |
 > | *none* |  |
@@ -2582,6 +2600,10 @@ Manage the lifecycle of specific-purpose custom resource definitions (CRD), cont
         "Microsoft.Network/virtualNetworks/read",
         "Microsoft.Network/virtualNetworks/subnets/join/action",
         "Microsoft.Network/virtualNetworks/subnets/read",
+        "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action",
+        "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
+        "Microsoft.Network/loadBalancers/inboundNATRules/join/action",
+        "Microsoft.Network/networkSecurityGroups/join/action",
         "Microsoft.Resources/subscriptions/resourceGroups/read"
       ],
       "notActions": [],
